rule trigger_drop {
    meta:
        description = "Chinese Hacktool Set - file trigger_drop.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "165dd2d82bf87285c8a53ad1ede6d61a90837ba4"
    strings:
        $s0 = "$_GET['returnto'] = 'database_properties.php';" fullword ascii
        $s1 = "echo('<meta http-equiv=\"refresh\" content=\"0;url=' . $_GET['returnto'] . '\">'" ascii
        $s2 = "@mssql_query('DROP TRIGGER" ascii
        $s3 = "if(empty($_GET['returnto']))" fullword ascii
    condition:
        filesize < 5KB and all of them
}
rule users_list {
    meta:
        description = "Chinese Hacktool Set - file users_list.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6fba1a1a607198ed232405ccbebf9543037a63ef"
    strings:
        $s0 = "<a href=\"users_create.php\">Create User</a>" fullword ascii
        $s7 = "$skiplist = array('##MS_AgentSigningCertificate##','NT AUTHORITY\\NETWORK SERVIC" ascii
        $s11 = "&nbsp;<b>Default DB</b>&nbsp;" fullword ascii
    condition:
        filesize < 12KB and all of them
}
rule trigger_modify {
    meta:
        description = "Chinese Hacktool Set - file trigger_modify.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c93cd7a6c3f962381e9bf2b511db9b1639a22de0"
    strings:
        $s1 = "<form name=\"form1\" method=\"post\" action=\"trigger_modify.php?trigger=<?php e" ascii
        $s2 = "$data_query = @mssql_query('sp_helptext \\'' . urldecode($_GET['trigger']) . '" ascii
        $s3 = "if($_POST['query'] != '')" fullword ascii
        $s4 = "$lines[] = 'I am unable to read this trigger.';" fullword ascii
        $s5 = "<b>Modify Trigger</b>" fullword ascii
    condition:
        filesize < 15KB and all of them
}
rule oracle_data {
    meta:
        description = "Chinese Hacktool Set - file oracle_data.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6cf070017be117eace4752650ba6cf96d67d2106"
    strings:
        $s0 = "$txt=fopen(\"oracle_info.txt\",\"w\");" fullword ascii
        $s1 = "if(isset($_REQUEST['id']))" fullword ascii
        $s2 = "$id=$_REQUEST['id'];" fullword ascii
    condition:
        all of them
}
rule item_old {
    meta:
        description = "Chinese Hacktool Set - file item-old.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "daae358bde97e534bc7f2b0134775b47ef57e1da"
    strings:
        $s1 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
        $s2 = "$sCmd = \"convert \".$sFile.\" -flip -quality 80 \".$sFileOut;" fullword ascii
        $s3 = "$sHash = md5($sURL);" fullword ascii
    condition:
        filesize < 7KB and 2 of them
}
rule reDuhServers_reDuh_2 {
    meta:
        description = "Chinese Hacktool Set - file reDuh.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "512d0a3e7bb7056338ad0167f485a8a6fa1532a3"
    strings:
        $s1 = "errorlog(\"FRONTEND: send_command '\".$data.\"' on port \".$port.\" returned \"." ascii
        $s2 = "$msg = \"newData:\".$socketNumber.\":\".$targetHost.\":\".$targetPort.\":\".$seq" ascii
        $s3 = "errorlog(\"BACKEND: *** Socket key is \".$sockkey);" fullword ascii
    condition:
        filesize < 57KB and all of them
}
rule CN_Tools_old {
    meta:
        description = "Chinese Hacktool Set - file old.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f8a007758fda8aa1c0af3c43f3d7e3186a9ff307"
    strings:
        $s0 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
        $s1 = "$sURL = \"http://\".$sServer.\"/\".$sFile;" fullword ascii
        $s2 = "chmod(\"/\".substr($sHash, 0, 2), 0777);" fullword ascii
        $s3 = "$sCmd = \"echo 123> \".$sFileOut;" fullword ascii
    condition:
        filesize < 6KB and all of them
}
rule item_301 {
    meta:
        description = "Chinese Hacktool Set - file item-301.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "15636f0e7dc062437608c1f22b1d39fa15ab2136"
    strings:
        $s1 = "$sURL = \"301:http://\".$sServer.\"/index.asp\";" fullword ascii
        $s2 = "(gov)\\\\.(cn)$/i\", $aURL[\"host\"])" ascii
        $s3 = "$aArg = explode(\" \", $sContent, 5);" fullword ascii
        $s4 = "$sURL = $aArg[0];" fullword ascii
    condition:
        filesize < 3KB and 3 of them
}
rule CN_Tools_item {
    meta:
        description = "Chinese Hacktool Set - file item.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a584db17ad93f88e56fd14090fae388558be08e4"
    strings:
        $s1 = "$sURL = \"http://\".$sServer.\"/\".$sWget;" fullword ascii
        $s2 = "$sURL = \"301:http://\".$sServer.\"/\".$sWget;" fullword ascii
        $s3 = "$sWget=\"index.asp\";" fullword ascii
        $s4 = "$aURL += array(\"scheme\" => \"\", \"host\" => \"\", \"path\" => \"\");" fullword ascii
    condition:
        filesize < 4KB and all of them
}
rule ChinaChopper_temp_2 {
    meta:
        description = "Chinese Hacktool Set - file temp.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "604a4c07161ce1cd54aed5566e5720161b59deee"
    strings:
        $s0 = "@eval($_POST[strtoupper(md5(gmdate(" ascii
    condition:
        filesize < 150 and all of them
}
rule templatr {
    meta:
        description = "Chinese Hacktool Set - file templatr.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "759df470103d36a12c7d8cf4883b0c58fe98156b"
    strings:
        $s0 = "eval(gzinflate(base64_decode('" ascii
    condition:
        filesize < 70KB and all of them
}
rule Txt_php {
    meta:
        description = "Chinese Hacktool Set - Webshells - file php.txt"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-14"
        hash = "eaa1af4b898f44fc954b485d33ce1d92790858d0"
    strings:
        $s1 = "$Config=$_SERVER['QUERY_STRING'];" fullword ascii
        $s2 = "gzuncompress($_SESSION['api']),null);" ascii
        $s3 = "sprintf('%s?%s',pack(\"H*\"," ascii
        $s4 = "if(empty($_SESSION['api']))" fullword ascii
    condition:
        filesize < 1KB and all of them
}
rule Txt_php_2 {
    meta:
        description = "Chinese Hacktool Set - Webshells - file php.html"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-14"
        hash = "a7d5fcbd39071e0915c4ad914d31e00c7127bcfc"
    strings:
        $s1 = "function connect($dbhost, $dbuser, $dbpass, $dbname='') {" fullword ascii
        $s2 = "scookie('loginpass', '', -86400 * 365);" fullword ascii
        $s3 = "<title><?php echo $act.' - '.$_SERVER['HTTP_HOST'];?></title>" fullword ascii
        $s4 = "Powered by <a title=\"Build 20130112\" href=\"http://www.4ngel.net\" target=\"_b" ascii
        $s5 = "formhead(array('title'=>'Execute Command', 'onsubmit'=>'g(\\'shell\\',null,this." ascii
        $s6 = "secparam('IP Configurate',execute('ipconfig -all'));" fullword ascii
        $s7 = "secparam('Hosts', @file_get_contents('/etc/hosts'));" fullword ascii
        $s8 = "p('<p><a href=\"http://w'.'ww.4'.'ng'.'el.net/php'.'sp'.'y/pl'.'ugin/\" target=" ascii
    condition:
        filesize < 100KB and 4 of them
}
rule PasswordProtection
{
    strings:
        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
    condition:
        (any of them) 
}
rule ObfuscatedPhp_Modified
{
    strings:
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $too_many_chr = /(chr\([\d]+\)\.){7}/  // concatenation of more than eight `chr()`
condition:
        any of them and not whitelist
}
rule DodgyPhp
{
    strings:  
        $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/
        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
        $double_var = /\${\s*\${/
		$extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
    condition:
        (any of them) 
}
rule DangerousPhp_Modified
{
    strings:
        $ = "array_filter" fullword nocase
        $ = "assert" fullword nocase
        $ = "eval" fullword nocase
        $ = "fpassthru" fullword nocase
        $ = "fsockopen" fullword nocase
        $ = "getmygid" fullword nocase
        $ = "shmop_open" fullword nocase
        $ = "mb_ereg_replace_callback" fullword nocase
        $ = "passthru" fullword nocase
        $ = /pcntl_(exec|fork)/ fullword nocase
        $ = "php_uname" fullword nocase
        $ = "phpinfo" fullword nocase
        $ = "posix_geteuid" fullword nocase
        $ = "posix_getpgid" fullword nocase
        $ = "posix_getppid" fullword nocase
        $ = "posix_getpwuid" fullword nocase
        $ = "posix_getsid" fullword nocase
        $ = "posix_getuid" fullword nocase
        $ = "posix_kill" fullword nocase
        $ = "posix_setegid" fullword nocase
        $ = "posix_seteuid" fullword nocase
        $ = "posix_setpgid" fullword nocase
        $ = "posix_setsid" fullword nocase
        $ = "preg_replace_callback" fullword
        $ = "proc_open" fullword nocase
        $ = "proc_close" fullword nocase
        $ = "popen" fullword nocase
        $ = "register_tick_function" fullword nocase
        $ = "shell_exec" fullword nocase
        $ = "shm_open" fullword nocase
        $ = "show_source" fullword nocase
        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
        $ = "win32_create_service" fullword nocase
        $ = "xmlrpc_decode" fullword nocase nocase
        $whitelist = /escapeshellcmd|escapeshellarg/ nocase
    condition:
        (not $whitelist and (6 of them)) 
}
rule php_anuna
{
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches a PHP Trojan"
    strings:
        $a = /<\?php \$[a-z]+ = '/
        $b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/
        $c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/
        $d = /if \(!function_exists\('[a-z]+'\)\)/
    condition:
        all of them
}
rule chinese_spam_spreader : webshell
{
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches chinese PHP spam files (autospreaders)"
    strings:
        $a = "User-Agent: aQ0O010O"
        $b = "<font color='red'><b>Connection Error!</b></font>"
        $c = /if ?\(\$_POST\[Submit\]\) ?{/
    condition:
        all of them
}
rule chinese_spam_echoer : webshell
{
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches chinese PHP spam files (printers)"
    strings:
        $a = "set_time_limit(0)"
        $b = "date_default_timezone_set('PRC');"
        $c = "$Content_mb;"
        $d = "/index.php?host="
    condition:
        all of them
}
rule fire2013 : webshell
{
    meta:
        author      = "Vlad https://github.com/vlad-s"
        date        = "2016/07/18"
        description = "Catches a webshell"
    strings:
        $a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
        $b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
    condition:
        all of them
}
rule misc_php_exploits
{
meta:
	author = "@patrickrolsen"
	version = "0.5"
	data = "08/19/2014"
	reference = "Virus Total Downloading PHP files and reviewing them..."
strings:
	$php = "<?php" nocase
	$s1 = "eval(gzinflate(str_rot13(base64_decode("
	$s2 = "eval(base64_decode("
	$s3 = "eval(gzinflate(base64_decode("
	$s4 = "cmd.exe /c"
	$s5 = "DTool Pro"
	$s6 = "urldecode(stripslashes("
	$s7 = "preg_replace(\"/.*/e\",\"\\x"
	$s8 = "<?php echo \"<script>"
	$s9 = "'o'.'w'.'s'" // 'Wi'.'nd'.'o'.'w'.'s'
	$s10 = "preg_replace(\"/.*/\".'e',chr"
	$s11 = "exp1ode"
	$s12 = "cmdexec(\"killall ping;"
	$s13 = "ms-mx.ru"
	$s14 = "N3tsh_"
	$s15 = "eval(\"?>\".gzinflate(base64_decode("
	$s16 = "Your MySQL database has been backed up"
	$s17 = "Idea Conceived By"
	$s18 = "ncftpput -u $ftp_user_name -p $ftp_user_pass"
	$s19 = "eval(gzinflate(base64_decode("
condition:
	not uint16(0) == 0x5A4D and $php and any of ($s*)
}
rule zend_framework
{
meta:
	author = "@patrickrolsen"
	maltype = "Zend Framework"
	version = "0.3"
	date = "12/29/2013"
strings:
	$php = "<?php"
	$s = "$zend_framework" nocase
condition:
	not uint16(0) == 0x5A4D and $php and $s
}
rule misc_shells_Modified
{
meta:
	author = "@patrickrolsen"
	version = "0.3"
	data = "08/19/2014"
strings:
	$s1 = "second stage dropper"
	$s2 = "SO dumped "
	$s3 = "killall -9 "
	$s4 = "This server has been infected by"
	$s5 = "faim.php"
	$s6 = "FILE UPLOADED TO $"
	$s7 = "$auth_pass ="
	$s8 = "Safe_Mode Bypass"  fullword nocase wide ascii
	$s9 = "Find *config*.php"
	$s10 = "Show running services"
	$s11 = "Show computers"
	$s12 = "Show active connections"
	$s13 = "ARP Table"
	$s14 = "Last Directory"
	$s15 = ".htpasswd files"
	$s16 = "suid files"
	$s17 = "writable folders"
	$s18 = "config* files"
	$s19 = "show opened ports"
	$s20 = ".pwd files"
	$s21 = "locate config."
	$s22 = "history files"
	$s23 = "<?php @eval($_POST['cmd']);?>"
	$s24 = "securityprobe.net"
	$s25 = "ccteam.ru"
	$s26 = "c99sh_sources"
	$s27 = "c99mad"
	$s28 = "CMD ExeCute"
	$s29 = "c99_sess_put"
	$s30 = "(\"fs_move_"
	$s31 = "c99sh_bindport_"
	$s32 = "hey,specify directory!"
	$s33 = "Change this to your password"
	$s34 = "ps -aux"
	$s35 = "p4ssw0rD"
	$s36 = "Ajax Command Shell by"
	$s37 = "greetings to everyone in rootshell"
	$s38 = "We now update $work_dir to avoid things like"
	$s39 = "ls looks much better with"
	$s40 = "I Always Love Sha"
	$s41 = "fileperm=substr(base_convert(fileperms"
	$s42 = "W A R N I N G: Private Server"
	$s43 = "for power security"
	$s44 = "[kalabanga]"
	$s45 = "GO.cgi"
	$s46 = "eval(gzuncompress(base64_decode("
	$s47 = "ls -lah"
	$s48 = "execute command:"
	$s49 = "imageshack.us"
	$s50 = "For Server Hacking"
	$s51 = "Private Exploit"
	$s52 = "Safe Mode Shell"
	$s53 = "ending mail to $to......."
	$s54 = "Mysql interface"
	$s55 = "MySQL Database Backup"
	$s56 = "mysql_tool.php?act=logout"
	$s57 = "Directory Lister"
	$s58 = "username and pass here"
condition:
	not uint16(0) == 0x5A4D and any of ($s*)
}
rule shell_names
{
meta:
	author = "@patrickrolsen"
	version = "0.3"
	data = "08/19/2014"
	reference = "N/A"
strings:
	$s1 = "faim.php"
	$s2 = "css5.php"
	$s3 = "groanea.php"
	$s4 = "siler.php"
	$s5 = "w.php" fullword
	$s6 = "atom-conf.php"
	$s7 = "405.php"
	$s8 = "pack2.php"
	$s9 = "r57shell.php"
	$s10 = "entrika.php"
	$s11 = "dra.php"
	$s12 = "lol.php"
	$s13 = "php-backdoor.php"
	$s14 = "aspxspy.aspx"
	$s15 = "c99.php"
	$s16 = "c99shell.php"
	$s17 = "fx29sh.php"
	$s18 = "azrailphp.php"
	$s19 = "CmdAsp.asp"
	$s20 = "dingen.php"
condition:
	not uint16(0) == 0x5A4D and any of ($s*)
}
rule fopo
{
    meta:
        description = "Free Online PHP Obfuscator"
        family = "PHP.Obfuscated"
        filetype = "PHP"
        hash = "b96a81b71d69a9bcb5a3f9f4edccb4a3c7373159d8eda874e053b23d361107f0"
        hash = "bbe5577639233b5a83c4caebf807c553430cab230f9a15ec519670dd8be6a924"
        hash = "a698441f817a9a72908a0d93a34133469f33a7b34972af3e351bdccae0737d99"
    strings:
        $base64_decode = /\$[a-zA-Z0-9]+=\"\\(142|x62)\\(141|x61)\\(163|x73)\\(145|x65)\\(66|x36)\\(64|x34)\\(137|x5f)\\(144|x64)\\(145|x65)\\(143|x63)\\(157|x6f)\\(144|x64)\\(145|x65)\";@eval\(/
    condition:
        all of them
}
rule eval_statement
{
    meta:
        description = "Obfuscated PHP eval statements"
        family = "PHP.Obfuscated"
        filetype = "PHP"
        hash = "9da32d35a28d2f8481a4e3263e2f0bb3836b6aebeacf53cd37f2fe24a769ff52"
        hash = "8c1115d866f9f645788f3689dff9a5bacfbee1df51058b4161819c750cf7c4a1"
        hash = "14083cf438605d38a206be33542c7a4d48fb67c8ca0cfc165fa5f279a6d55361"
    strings:
        $obf = /eval[\( \t]+((base64_decode[\( \t]+)|(str_rot13[\( \t]+)|(gzinflate[\( \t]+)|(gzuncompress[\( \t]+)|(strrev[\( \t]+)|(gzdecode[\( \t]+))+/
    condition:
        all of them
}
rule PAS_TOOL_PHP_WEB_KIT
{
    meta:
        description = "PAS TOOL PHP WEB KIT FOUND"
        source = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
        filetype = "PHP"
    strings:
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/ 
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        (filesize > 20KB and filesize < 22KB) and
        #cookie == 2 and
        #isset == 3 and
        all of them
}
rule pbot
{
    meta:
        description = "PHP IRC Bot"
        family = "Backdoor.PHP.Pbot"
        filetype = "PHP"
        hash = "cd62b4c32f0327d06dd99648e44c85560416a40f6734429d3e89a4c5250fd28e"
        hash = "80fb661aac9fcfbb5ae356c5adc7d403bf15da9432b5e33fbbed938c42fdde3c"
        hash = "6873bcc7f3971c42564a5fb72d5963b1660c6ff53409e496695523c1115e9734"
    strings:
        $class = "class pBot" ascii
        $start = "function start(" ascii
        $ping = "PING" ascii
        $pong = "PONG" ascii
    condition:
        all of them
}